[Noisebridge-discuss] Assignment for tomorrow's web dev lab!

Jeffrey Carl Faden jeffreyatw at gmail.com
Thu Feb 16 11:42:56 PST 2012


So it's basically an issue with *any* website that is loaded or requests
resources via HTTP. That makes sense, and I do mention throughout the class
how sensitive information should be submitted over HTTPS (especially when
on a public network like "noisebridge").

I don't think this is an extremely pressing concern, but Seth's right in
that it's good practice. Stuff from CDNs should be loaded via HTTPS when
possible. My problem is that loading HTTPS content on an HTTP page (or vice
versa) causes those annoying "some resources were sent unsecurely" messages
to pop up in IE. (I usually handle that issue by removing the protocol
entirely in href/src attributes, like "//www.google.com/..." so the request
matches the protocol of the current document.)

Jeffrey

On Thu, Feb 16, 2012 at 11:18 AM, Gopiballava Flaherty <
gopiballava at gmail.com> wrote:

> I've heard of proof of concept demos for hijacking streams. Basically, the
> attacker on WiFi responds to the TCP SYN request faster than the web site
> itself. The example I saw showed people whose HTTP image requests all
> returned goatse.
>
> https checks the certificate of the remote site. You could do this for
> https but the certificate wouldn't match.
>
> Thanks,
>
> gopi at iPhone
>
>
> On Feb 16, 2012, at 10:59, Jeffrey Carl Faden <jeffreyatw at gmail.com>
> wrote:
>
> Are you suggesting that an outgoing HTTP GET request can be hijacked and
> the information that's returned could be script other than jQuery? I'd be
> interested in understanding more how that works, and how requesting
> resources over HTTPS prevents that.
>
> Jeffrey
>
> On Wed, Feb 15, 2012 at 11:33 PM, Seth David Schoen <schoen at loyalty.org>wrote:
>
>> Jeffrey Carl Faden writes:
>>
>> > Hey dudes,
>> >
>> > First Frontend Web Development lab meets tomorrow, Thursday at 8pm.
>> >
>> > If you want to get a head start on the assignment or just think it
>> over, I've uploaded it here:
>> > http://jeffreyatw.com/static/frontend/class12/assignment.html
>>
>> Can you please have your students load jQuery from
>>
>> https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
>>
>> rather than your existing suggestion of
>>
>> http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
>>
>> and correspondingly for jQuery Validation?  In the existing case a network
>> attacker can completely pwn their web applications, _even if they're
>> loaded
>> from localhost or from local HTML instead of from any web server_.
>>
>> --
>> Seth David Schoen <schoen at loyalty.org>      |  No haiku patents
>>     http://www.loyalty.org/~schoen/        |  means I've no incentive to
>>  FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150  |        -- Don Marti
>>
>
> _______________________________________________
> Noisebridge-discuss mailing list
> Noisebridge-discuss at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.noisebridge.net/pipermail/noisebridge-discuss/attachments/20120216/2a88c0a6/attachment.htm 


More information about the Noisebridge-discuss mailing list